If the script is loaded in the host site's context (it would have to be), it knows your current location and can use DOM APIs to inspect your browsing history (on the current site, at least) and I believe on first page visit it will also be able to identify what website sent you there. It could also potentially register event listeners to watch what links you click.